Thanks for proving Bernstein right
Posted Nov 4, 2007 16:41 UTC (Sun) by man_ls
In reply to: Thanks for proving Bernstein right
Parent article: Daniel Bernstein: ten years of qmail security
surely you didn't meant to say that simply dereferencing a pointer is a bug? ;-)
Ehm, my C is a little rusty, but no :D I rather meant null pointer dereference, double dereference or whatever other strange things are allowed in C that lead to security problems.
Every bug has the potential to be a security problem, one way or the other.
That is a belief originated by OpenBSD people which is not shared by many. "Potential" is a weak word, but anyway the potential security problems related to many bugs is near zero. Some bugs are purely aesthetic, others just make things work wrong with no side effects. Some languages help keep side effects to a minimum, others don't.
Some security issues are not even bugs; failure to validate an input string maybe an excess of confidence, but it cannot be considered a bug unless you assume the string might come from a hostile party. Most program specifications just say what should happen, not what should not happen.
My experience is
that there aren't less bugs in Java code than in C code.
Of course not, but I much rather prefer a NullPointerException than an undesired intrusion.
to post comments)